Apache HTTP Server 2.4.46 released with vulnerability fixes

The release of Apache HTTP Server 2.4.46 has been published (releases 2.4.44 and 2.4.45 were skipped); it introduces 17 changes and fixes 3 vulnerabilities:

  • CVE-2020-11984 - a buffer overflow in the mod_proxy_uwsgi module that can lead to information leakage or code execution on the server when a specially crafted request is sent. The vulnerability is triggered by sending a very long HTTP header. As a protection, headers longer than 16K (the limit defined in the protocol specification) are now blocked.
  • CVE-2020-11993 - a vulnerability in the mod_http2 module that allows the process to be crashed by sending a request with a specially crafted HTTP/2 header. The problem appears when debugging or tracing is enabled in the mod_http2 module and manifests as memory corruption caused by a race condition while writing information to the log. The problem does not occur if LogLevel is set to "info".
  • CVE-2020-9490 - a vulnerability in the mod_http2 module that allows the process to be crashed by sending an HTTP/2 request with a specially crafted 'Cache-Digest' header value (the crash occurs when an HTTP/2 PUSH operation is attempted on the resource). To block the vulnerability, the "H2Push off" setting can be used.
  • CVE-2020-11985 - a vulnerability in mod_remoteip that allows IP addresses to be spoofed when proxying with mod_remoteip and mod_rewrite. The problem only affects releases 2.4.1 through 2.4.23.

The most notable non-security changes are:

  • Support for the draft kazuho-h2-cache-digest specification has been removed from mod_http2; work on that draft has been discontinued.
  • The behaviour of the "LimitRequestFields" directive in mod_http2 has changed; specifying a value of 0 now disables the limit.
  • mod_http2 now handles primary and secondary (master/secondary) connections and marks methods according to their usage.
  • If invalid Last-Modified header content is received from an FCGI/CGI script, the header is now removed instead of being replaced with the Unix time.
  • The ap_parse_strict_length() function has been added to the code for strict parsing of the content size.
  • ProxyFCGISetEnvIf in mod_proxy_fcgi now ensures that the environment variable is removed when the given expression returns False.
  • Fixed a race condition and a possible crash in mod_ssl when using a client certificate specified via the SSLProxyMachineCertificateFile setting.
  • Fixed a memory leak in mod_ssl.
  • mod_proxy_http2 now honours the "ping" proxy parameter when checking whether a new or reused connection to the backend is working.
  • httpd is now linked with the "-lsystemd" option when mod_systemd is enabled.
  • mod_proxy_http2 now ensures that the ProxyTimeout setting is taken into account while waiting for incoming data on a connection to the backend.
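As an added example (not part of the original announcement), the following POSIX shell helpers turn the version ranges and the "H2Push off" workaround described above into a quick inventory check: one function lists which of the four CVEs apply to a given httpd version string, the other tells whether a configuration fragment already disables HTTP/2 PUSH. The version strings and the config fragment are constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the Apache project or the article.
# Versions and config text below are constructed sample input.

# Convert "2.4.46" into a comparable integer (2*1000000 + 4*1000 + 46).
version_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Print the CVEs from the release notes that apply to the given version.
# The mod_proxy_uwsgi and mod_http2 issues are fixed in 2.4.46; the
# mod_remoteip issue (CVE-2020-11985) only affects 2.4.1 through 2.4.23.
affected_cves() {
    v=$(version_key "$1")
    out=""
    if [ "$v" -lt "$(version_key 2.4.46)" ]; then
        out="CVE-2020-11984 CVE-2020-11993 CVE-2020-9490"
    fi
    if [ "$v" -ge "$(version_key 2.4.1)" ] && [ "$v" -le "$(version_key 2.4.23)" ]; then
        out="${out:+$out }CVE-2020-11985"
    fi
    echo "$out"
}

# Return 0 if the config text contains an active "H2Push off" directive
# (the workaround for CVE-2020-9490), 1 otherwise. Comment lines are ignored.
h2push_disabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -qi '^[[:space:]]*H2Push[[:space:]][[:space:]]*off'
}

# Constructed sample httpd.conf fragment with both mitigations applied.
SAMPLE_CONF='# sample fragment
LogLevel info
H2Push off'

affected_cves 2.4.43                 # prints the three 2.4.46 fixes
if h2push_disabled "$SAMPLE_CONF"; then echo "H2Push is off"; fi
```

On a real host, feed `httpd -v` output and the active configuration into these functions in place of the constructed sample values.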

Source: opennet.ru
